-rw-r--r--modules/notification/controllers/notification.php2
-rw-r--r--modules/notification/helpers/notification_menu.php8
2 files changed, 6 insertions, 4 deletions
diff --git a/modules/notification/controllers/notification.php b/modules/notification/controllers/notification.php
index 94dcfddc..8722f890 100644
--- a/modules/notification/controllers/notification.php
+++ b/modules/notification/controllers/notification.php
@@ -19,6 +19,8 @@
*/
class Notification_Controller extends Controller {
function watch($id) {
+ access::verify_csrf();
+
$item = ORM::factory("item", $id);
access::required("view", $item);
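Review bot: The added `access::verify_csrf();` at the top of watch() has no comment saying why this action needs a token, and the reason is not obvious from the lines shown here. Judging by the add/remove CSS ids in the menu helper, the action appears to toggle a subscription through an ordinary link. I would add a comment above the call such as `// Reached via a plain link and changes watch state: reject requests without a valid CSRF token before loading the item.` Running the check before `ORM::factory` and `access::required` is the right order and worth keeping. The body of watch() continues outside the hunk, so what verify_csrf() does on failure cannot be confirmed from here.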
diff --git a/modules/notification/helpers/notification_menu.php b/modules/notification/helpers/notification_menu.php
index f12d2832..539f6a76 100644
--- a/modules/notification/helpers/notification_menu.php
+++ b/modules/notification/helpers/notification_menu.php
@@ -27,10 +27,10 @@ class notification_menu_Core {
$menu
->append(Menu::factory("link")
- ->id("watch")
- ->label(t("Enable notifications for this album"))
- ->url(url::site("notification/watch/$item->id"))
- ->css_id($watching ? "gRemoveWatchLink" : "gAddWatchLink"));
+ ->id("watch")
+ ->label(t("Enable notifications for this album"))
+ ->url(url::site("notification/watch/$item->id?csrf=" . access::csrf_token()))
+ ->css_id($watching ? "gRemoveWatchLink" : "gAddWatchLink"));
}
}
}
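Review bot: The new `->url(...)` line puts the CSRF token in the query string, where it is recorded in browser history and web-server access logs and can be sent in the Referer header to resources the resulting page loads. If the token lives as long as the session, that exposure lasts as long too. A POST form that carries the token in the request body would be the safer pattern for a state-changing action. If the link has to stay, I would at least encode the value, `->url(url::site("notification/watch/$item->id?csrf=" . urlencode(access::csrf_token())))`, and confirm the token format and lifetime in the access helper. The enclosing method starts outside the hunk.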